Carl Phillips Email and Phone Number
Seasoned third-party risk management program manager responsible for cybersecurity risk questionnaire evaluation, including review of over 200 System and Organization Controls (SOC) reports. Experienced professional in both Payment Card Industry (PCI) Data Security Standard (DSS) and NERC CIP compliance. Skilled writer experienced in risk questionnaire development, process and procedure implementation and documentation, IT policy development, business continuity/disaster recovery planning, and cybersecurity risk analysis.
Leggett & Platt
- Website: leggett.com
- Employees: 3350
-
IT Compliance Analyst, Leggett & Platt (Nov 2022 - Present; Carthage, MO)
Scope, gather and evaluate evidence for PCI DSS information security self-assessments for Information Technology (IT) Security’s Governance, Risk & Compliance group. Coordinate and prepare self-assessment questionnaires (SAQs) for the company’s transaction authentication processing provider. Assess corporate cyber security infrastructure policies, procedures and practices, including network security, system configurations, data encryption (both in transit and stored), vulnerability management, secure software development, logical and physical access, user authentication, and system security, including anti-malware and security logging. Review and assess security at third-party service providers (TPSPs).
Identify remediation actions and monitor gaps identified through security risk and controls assessments. Document policies and procedures for closing gaps in meeting security standards requirements. Assist with creation and operation of IT general controls, program processes, procedures and workflows. Prepare and maintain targeted risk assessment of payment card environment.
Create and maintain third-party risk management response catalog for use in responding to customer/vendor security questionnaire requests. Track compliance processes such as remediation plans, exception/variance handling, audit requests, and recurring audit reviews to ensure timely completion. Work with key stakeholders, leadership, business units, and other internal and external constituents to evaluate and manage information security assessments.
-
Senior Cyber Security Analyst, PSEG (Oct 2020 - May 2022; Newark, NJ)
Managed third-party vendor risk management program for corporate Cyber Security Risk & Compliance (CSRC) department. Reviewed contract terms to ensure confidential and proprietary information and information security terms meet corporate baseline requirements; provided feedback to Legal and Procurement. Point of contact with Procurement, Legal, Lines of Business, Project Managers, and security architecture team. Maintained corporate NERC CIP-013 Supply Chain Management Questionnaire; evaluated third-party vendor responses against NERC CIP regulations. Continued to back up NERC CIP analyst as necessary.
Determined risk ratings using in-house sensitive information and vendor risk tool, considering personally identifiable information (PII), critical energy/electrical infrastructure information (CEII), data classification, and where data was presented (internal or cloud). Evaluated vendor cybersecurity risk with in-house Questionnaire, SIG Lite or CSA CAIQ; SOC 1 and 2 reports as available; and additional documentation or interviews. Identified risks and remediation for vendor action.
Updated risk Questionnaire to reflect current cybersecurity requirements and risk trends. Maintained vendor risk management process and procedures documentation; provided regular management reports. Supervised and trained interns, contractors and new hires (multiple individuals) in corporate vendor risk management processes and procedures.
-
Lead Compliance Analyst, NERC CIP, PSEG Services Corp. (Jun 2014 - Oct 2020; Newark, NJ)
Responsible for all aspects of Information Technology department NERC CIP compliance, including: access management, electronic access, ports and services, patch management, security event monitoring, system access control, incident reporting and response planning, backup and recovery plans for critical cyber systems, configuration change management, vulnerability assessments, transient cyber assets, and cyber asset reuse.
Maintained and updated CIP processes and procedures, as well as Reliability Standard Audit Worksheets (RSAWs). Prepared and presented evidence for NERC CIP audits. Developed and managed mitigation plans for audit findings. Prepared self-logs/reports as necessary. Implemented new requirements and procedures for new versions of NERC CIP standards; Version 5 in 2016 and Version 7 (CIP-013 supply chain management guidance). Coordinated with Corporate Security regarding physical access and System Reliability (Energy Management System, or EMS) regarding device configurations and electronic access. Represented IT in corporate NERC CIP compliance program.
Managed third-party vendor risk assessment program, coordinating with Procurement, Lines of Business and Project Managers. Evaluated vendor risk using in-house Questionnaire, SIG Lite or CSA CAIQ, as well as SOC 1 and 2 reports. Refined Questionnaire as needed based on changing security requirements, such as security architecture requirements. Advised management regarding risks and consulted with Project Managers and vendors to remediate identified risks. Maintained residual risk assessments in risk register.
-
Compliance Analyst, SOX/NERC CIP, PSEG Services Corp. (Oct 2010 - Jun 2014; Newark, NJ)
Evaluated risk of non-performing SOX controls; supervised mitigation; coordinated internal and external audit testing; and prepared IT audit responses. Reviewed technology, including SAP environment; initiated new controls or removed obsolete controls as necessary.
Implemented vendor risk management program. Assessed risks of third-party software and maintained IT Security risk questionnaire. Assessed vendor risk questionnaires and SOC 1 or SOC 2 reports and advised IT Security and Procurement management regarding identified risks. Evaluated security software (e.g., encryption and firewall).
Defined and enforced infrastructure configuration standards for critical NERC CIP cyber assets: monitored privileged access to critical assets; integrated standards into the configuration change management process; and developed release management testing and acceptance procedures. Provided data for NERC CIP compliance audits; prepared audit responses.
-
Communications Coordinator - NJ Chapter, ISACA (Jul 2009 - Jun 2011)
Coordinate newsletter, Web site and other avenues of communication with NJ Chapter members.
-
Senior IT Auditor, Medco Health Solutions, Inc. (Jan 2005 - Aug 2010)
Analyzed IT infrastructure and applications using inquiry, observation or automated testing (ACL); evaluated internal controls; determined criticality of inherent and residual risk; recommended solutions to senior management to mitigate risk. Areas of expertise: business continuity planning, change control, data center operations, data warehouse, information security, network operations, order fulfillment, point-of-sale (POS), SDLC, warehouse management, and 3rd-party reviews (similar to SAS 70).
Evaluations and recommendations improved:
• Business and functional requirements definition, leading to improvement in software quality.
• Business continuity planning for the company, disaster recovery plans for critical applications.
• IT operations and logical and physical security at critical Medicare Part D vendors.
• Physical security at subsidiary facilities, decreasing the risk of loss of confidential information.
-
President - NJ Chapter, ISACA (2007 - 2009)
Presided over the New Jersey Chapter Board of Directors; directed chapter activities; communicated with ISACA International; attended International meetings as chapter representative; and developed chapter budget.
-
Vice President, TD Waterhouse Investor Services (Jan 2004 - Jan 2005)
Evaluated internal controls; recommended solutions to senior management; planned reviews; researched, developed and documented information technology applications and infrastructure work programs, including database management, data warehouse, 3rd-party service organization, network management and security, and financial applications.
• Identified control issues with potential for high-dollar fraud in PeopleSoft Financials processes.
• Responsible for Internal Audit Department business continuity plan.
-
Vice President, Bank Of Tokyo-Mitsubishi (May 2001 - Dec 2004)
Evaluated internal controls; recommended solutions to senior management; planned reviews; developed and documented information technology infrastructure work programs, including business continuity planning, information security, network operations, operating systems, and financial applications.
• Responsible for creation of dedicated Business Continuity Planning Department.
-
Technology Audit Manager, Dun & Bradstreet (May 2000 - May 2001)
Evaluated internal controls; recommended solutions to senior management; planned reviews; researched, developed and documented information technology applications and infrastructure work programs, including database management, data warehouse, third-party service bureau, network management and security, and financial applications.
• Managed IT audit staff of one Senior and one Staff, with hiring responsibilities.
• Coordinated corporate data privacy policy with European subsidiaries.
-
Manager, KPMG (Feb 1995 - May 2000)
Assessed risk to clients of new information systems, such as software or computing platforms, and evaluated policies and procedures implemented to control risks. Reviewed logical and physical access controls, system development, program change, business continuity plans, and end-user computing.
• Developed and maintained audit programs for SAS 70 reviews; performed such reviews monthly.
• Assessed/reduced potential Year 2000 risks for both domestic and international clients.
• Planned audit engagements and supervised staff auditors’ work.
• Developed, tested and implemented enterprise resource planning systems audit methodologies.
-
Project Manager, Prodigy Services Co. (Oct 1987 - Feb 1995)
Developed and maintained business continuity plans and coordinated plan tests; assessed application technology and implementation risks; managed all hardware, software and environmental changes for PRODIGY service; implemented programming standards and wrote application test plans.
-
Information Center Consultant, Ford Motor Company (1984 - 1986)
Carl Phillips Skills
Carl Phillips Education Details
-
New York University Graduate School Of Business Administration: Computer Applications & Information Systems
-
Cornell University - New York School Of Industrial & Labor Relations: Personnel & Human Resource Administration
-
Cornell University - College Of Arts & Sciences: English
Frequently Asked Questions about Carl Phillips
What company does Carl Phillips work for?
Carl Phillips works for Leggett & Platt.
What is Carl Phillips's role at the current company?
Carl Phillips's current role is Compliance Analyst - PCI DSS/Third Party Risk Management.
What is Carl Phillips's email address?
Carl Phillips's email address is ca****@****seg.com
What schools did Carl Phillips attend?
Carl Phillips attended New York University Graduate School Of Business Administration, Cornell University - New York School Of Industrial & Labor Relations, Cornell University - College Of Arts & Sciences.
What skills is Carl Phillips known for?
Carl Phillips has skills like SDLC, Privacy Law, Internal Controls, Change Management, Physical Security, IT Audit, Information Security, NERC CIP, Cybersecurity, Disaster Recovery, Computer Security, Auditing.
Who are Carl Phillips's colleagues?
Carl Phillips's colleagues are Kevin Wang, Celia Gonzalez, Randy Arnold, Todd Allis, Kristy Sims, Monica Watson, María Segura.